Security fix

Public project in a private group makes the group page publicly accessible

Sharing a public project with a private group makes the group page publicly accessible. The issue is now mitigated in the latest release and is assigned CVE-2019-9732.

Versions Affected

Affects GitLab CE/EE 10.0.3 and later.

Remediation

We strongly recommend that all installations running an affected version be upgraded to the latest version as soon as possible.

Upgrade barometer

This version does not include any new migrations, and should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.